Important! Can IDS 4.1x Send event messages to a syslog server??

gaochun
Level 1

I know IDS Event Viewer and MC can pull the IDS events from IDS sensors and IDSM. But our company is thinking of collecting all the security messages on a syslog server. The firewall can send syslog to this server, but for IDS and IDSM 4.1, I can't find a way to send the IDS events to a syslog server. Is there any way to do that?

I would really appreciate it if you can help me, thanks.

8 Replies

a.arndt
Level 3

Unfortunately, the short answer is "you can't do that." You can't even send SNMP traps using 4.1 software.

Fortunately, version 5.0 supports SNMP traps, but I don't believe it supports syslog. If I'm wrong, please sound off...

Summary - sorry, that won't work with version 4.1 software...

Alex Arndt

Thanks, Alex. I also found this information on the Cisco web site. And as for SNMP traps on IPS ver 5.0, I also think they are too simple compared with IEV or MC. Am I right? I hope Cisco will improve their software on that. Why can't IDS send out syslog like other systems?

Because then you wouldn't require their $20k ciscoworks software.

Your comment is an easy statement to make, but IMHO unfair.

If you look at the Cisco IDS/IPS product line's history, you'll realize that the current RDEP/SDEE communications model is infinitely more secure, while remaining easy to use, than any other method one could propose.

Initially, the sensors pushed events to the centrally monitoring console via UDP (port 45000), with most of the data in the clear (the source and destination IP address were obfuscated). This is obviously not very safe because, even though the communications were pseudo connection-oriented due to checking by the application daemons at each end, it is possible to intercept and modify the IDS alert to inject false data.

This same problem exists with stock syslog, since everything goes on the wire as a UDP packet and there is no data obfuscation or encryption whatsoever.

The distinct advantage of the current communications model is the fact that RDEP/SDEE use cryptography to protect your IDS/IPS alerts, and that it also uses a standards-based structure in XML-based forms to pass the data.

Finally, since Cisco has released an SDK for RDEP/SDEE, and many 3rd party vendors have software that can act as RDEP/SDEE clients, I disagree that you’re stuck with the CiscoWorks-based VMS suite. Besides, you only have to buy the suite if you need to manage more than 5 sensors, but I digress...

Alex Arndt

Hi Alex, yes I'm a bitter, bitter man. Can you point me to where I can download this SDK? I can't seem to find it. Is it free or will it cost me another $20k? :P

Gladly! You can find the RDEP/SDEE SDK for Cisco IDS/IPS here:

http://www.cisco.com/cgi-bin/dev_support/access_level/product_support?pcgi=1&product=IDS_INT_API

NOTE: You'll need your CCO login to access this URL.

As far as I know, the SDK is available for downloading at no cost.

I hope this helps,

Alex Arndt

Had a look at the RDEP and SDEE specs as well as the shun example. I had no idea - good on Cisco for using a standard. Being a lazy bastard I looked around and, surprise surprise, the almighty Perl gods have already created a module for this:

http://search.cpan.org/~jminieri/Net-RDEP-0.03/lib/Net/RDEP.pm

The second example would allow you to create an rdep->syslog proxy-type application that you could use to log to syslog. (The main/biggest thing required would be deciding on a syslog message format.)

Andy

The IDS/IPS sensors (4.x and 5.x) do not serve syslog messages. Starting with 4.0, the mechanism for pulling events from the sensor is the RDEP XML/HTTP interface (that IEV, MC SecMon, and other 3rd-party apps use). To solve your design issue, you would have to write a converter application that pulls events from the sensor using RDEP and then serves them up as syslog messages.
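The converter described in the last two replies, as an added illustration (not code from the thread or from Cisco): it takes one alert in the general shape of an SDEE evIdsAlert and renders it as an RFC 5424 syslog line. The sample XML, its namespace URI, element names and nanosecond timestamp are constructed assumptions, not the exact Cisco schema; the RDEP pull itself (HTTPS to the sensor) is left out and only the formatting and UDP hand-off are shown.

```python
"""Illustrative SDEE-alert-to-syslog converter; not Cisco's code."""
import socket
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample alert; element names and namespace are assumptions.
SAMPLE_EVENT = """<sd:evIdsAlert xmlns:sd="urn:example:sdee-placeholder"
    eventId="1234" severity="high">
  <sd:originator><sd:hostId>sensor1</sd:hostId></sd:originator>
  <sd:time>1118238000000000000</sd:time>
  <sd:signature sigId="2004" sigName="ICMP Echo Request"/>
  <sd:participants>
    <sd:attacker><sd:addr>192.0.2.10</sd:addr></sd:attacker>
    <sd:target><sd:addr>198.51.100.5</sd:addr></sd:target>
  </sd:participants>
</sd:evIdsAlert>"""

FACILITY_LOCAL4 = 20
# Sensor severity -> RFC 5424 severity code (unknown values map to info).
SEVERITY = {"high": 2, "medium": 4, "low": 5, "informational": 6}


def _find(root, local_name):
    """First element with this local name, ignoring XML namespaces."""
    if root is None:
        return None
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None


def _text(root, local_name):
    el = _find(root, local_name)
    return (el.text or "").strip() if el is not None else ""


def alert_to_syslog(xml_text):
    """Render one evIdsAlert as an RFC 5424 line: <PRI>1 TS HOST APP - MSGID - MSG."""
    root = ET.fromstring(xml_text)
    pri = FACILITY_LOCAL4 * 8 + SEVERITY.get(root.get("severity", ""), 6)
    # Assumed: sensor time is nanoseconds since the Unix epoch.
    ts = datetime.fromtimestamp(int(_text(root, "time")) / 1e9, tz=timezone.utc)
    sig = _find(root, "signature")
    src = _text(_find(root, "attacker"), "addr")
    dst = _text(_find(root, "target"), "addr")
    msg = (f"sig={sig.get('sigId')} name=\"{sig.get('sigName')}\" "
           f"severity={root.get('severity')} src={src} dst={dst}")
    return (f"<{pri}>1 {ts:%Y-%m-%dT%H:%M:%SZ} {_text(root, 'hostId')} "
            f"cisco-ids - {root.get('eventId')} - {msg}")


def send_udp(line, host="127.0.0.1", port=514):
    """Plain UDP is as unprotected as stock syslog; keep this hop on the collector host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))
```

Because the UDP leg reintroduces exactly the in-the-clear problem Alex describes, run the converter on the collector itself or forward over a TLS-wrapped TCP transport.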
